
ADM960 – SAP Security consultant certification flashcards – julien.moix@gmail.com

Q: What are the 7 goals of security?
A:
• Authentication: the process of identifying the "real" identity of a user or system.
• Authorization: what the identified user is allowed to do.
• Confidentiality: the communications are kept private.
• Integrity: none of the information has been tampered with.
• Repudiation: denying that you have done something (the threat that non-repudiation counters).
• Non-repudiation: you cannot deny having done something.
• Availability: users get to their resources when they need them.

Q: What is behind the threat "Planting"?
A: A hacker gains access to a system and plants a program that lets them access that computer again later.

Q: What are the 11 threats listed in the course?
A: Penetration, Authorization violation, Planting, Eavesdropping, Tampering, Denial of service, Repudiation, Flooding, Masquerading, Spoofing, Buffer overflow.

Q: What is behind the threat "Tampering"?
A: A hacker grabs a connection and communicates with both the client and the server (a man-in-the-middle position). Once the connection has been grabbed, the hacker can change the data in transit.

Q: Which kind of attack makes the server unavailable?
A: A denial of service (DoS). There are several ways to do this, such as cutting the network cable, physically destroying the server, or unplugging it from the network.



Q: What is it called when a program modifies the source IP address of a TCP/IP packet, to fool the network into thinking that the packet comes from inside the network?
A: Spoofing.

Q: When an application receives data that it is not expecting or prepared for (typically more input than the receiving buffer can hold), unpredictable results can occur, and this can lead to a vulnerability in the server. What is this threat called?
A: Buffer overflow.

Q: What are the 3 categories of safeguards?
A:
• Technical safeguards (for example firewalls, encryption, PKI, certificates, access control)
• Organizational safeguards (for example rules or guidelines)
• Environmental safeguards (for example fire detection)

Q: What are the 3 types of security policy?
A:
• General security policy
• IT security policy
• Configuration documentation

Q: Which protocol is used between the SAP GUI and the server?
A: The DIAG protocol.



Q: Which protocol is used between SAP servers?
A: RFC (Remote Function Call).

Q: Which SAP product transforms the traditional SAP applications into Web-based transactions, so that they are accessible using Internet technology?
A: The ITS (Internet Transaction Server).

Q: What is the end user's interface to Web-based information?
A: The SAP Web GUI.

Q: What are the 2 main components of the ITS?
A:
• Web gate (WGate), which resides on the Web server
• Application gate (AGate)

Q: ITS configuration: what is the difference between a single-host and a dual-host configuration?
A:
• Single host: AGate and WGate on the same host (the Web server)
• Dual host: AGate installed on a separate host



Q: What are the 7 layers of the OSI model?
A:
7 Application layer: program-to-program communication (HTTP)
6 Presentation layer: manages data representation
5 Session layer: communication channels
4 Transport layer: end-to-end integrity (TCP, SPX)
3 Network layer: routes data (IP)
2 Data link layer: physically passing data (Ethernet)
1 Physical layer: putting data onto the network

Q: Information sent across a network is not intended just for a computer; it is intended for a program on that computer. How are the programs distinguished?
A: By their port.

Q: Which command displays all connections and listening ports on your computer?
A: netstat -a

Q: What are the default SAP ports?
A:
• Internet Communication Manager (ICM): port 8080
• Dispatcher: 32<nn> (front end)
• Message server: 36<nn> (other SAP systems)
• Gateway: 33<nn> (external systems)
• Print service: 515
(<nn> is the two-digit instance number.)

Q: What are the ports used by the ITS?
A:
• Between the client and the Web server: 80 (HTTP), 443 (HTTPS)
• Between WGate and AGate: 3900 or 3909
• AGate to dispatcher: 32<nn> (front end)
• AGate to message server: 36<nn> (other SAP systems)
• AGate to gateway: 33<nn> (external systems)



Q: What is a system (or a combination of systems) called that protects a networked system from unauthorized or unwelcome access?
A: A firewall.

Q: What are the two most common types of firewalls?
A:
• Packet filters (network and data link layers)
• Application proxies (application and transport layers), for example SAProuter as a DIAG/RFC proxy

Q: Which SAP product is used as a DIAG/RFC proxy?
A: SAProuter.

Q: What are the 4 functions of SAProuter?
A:
• Control and log the connections to your SAP system
• Allow access only from the SAProuters you have selected
• Protect your connection and data from unauthorized access
• Allow only encrypted connections from a known partner

Q: SAProuter: which file contains the list of connections that are denied or permitted?
A: The file saprouttab.



Q: What is the structure of an entry in the SAProuter route table (saprouttab)?
A: [D|P|S] <source> <target> <service> {password}
• D: deny the connection
• P: permit the connection
• S: permit only SAP protocol connections (no arbitrary native TCP)
The {password} is optional. Entries are evaluated top to bottom and the first matching entry decides; a connection that matches no entry is denied.
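The following is an added example (not SAP's code and not from the original flashcards) that models the route-table semantics above: entries are read in order, the first entry whose source, target and service match decides, and an unmatched request is denied. The sample table is constructed for the example. Assumptions: hosts are compared as strings with '*' wildcards only (no subnet masks, no name resolution), and the SNC entry types KP/KD/KS are not handled.

```python
"""Evaluate SAProuter route-table (saprouttab) entries against connection requests.

Added example, not SAP's code. Simplified model: string matching with '*'
wildcards only, no subnet masks or name resolution, no KP/KD/KS entries.
"""
from fnmatch import fnmatchcase

# Constructed sample saprouttab (not from a real system).
SAMPLE_SAPROUTTAB = """\
# entries are evaluated in order; first match wins
D *          10.1.1.10  3300            # nobody reaches the gateway directly
P 10.2.0.*   10.1.1.10  3200  s3cret    # SAP GUI from the admin LAN, with route password
S 10.2.0.*   10.1.1.10  *               # any other SAP-protocol service from the admin LAN
P 10.2.1.7   10.1.1.10  3600            # one host may talk to the message server
"""


def parse_saprouttab(text):
    """Return a list of (action, source, target, service, password_or_None)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()   # strip comments and blank lines
        if not line:
            continue
        fields = line.split()
        if len(fields) not in (4, 5) or fields[0] not in ("P", "D", "S"):
            raise ValueError(f"saprouttab line {lineno}: cannot parse {raw!r}")
        action, src, dst, service = fields[:4]
        password = fields[4] if len(fields) == 5 else None
        rules.append((action, src, dst, service, password))
    return rules


def evaluate(rules, src, dst, service, password=None, sap_protocol=True):
    """Decide one request. Returns (verdict, deciding_rule); the rule is None
    when nothing matched, i.e. the implicit deny at the end of the table."""
    for rule in rules:
        action, r_src, r_dst, r_service, r_password = rule
        if not (fnmatchcase(src, r_src) and fnmatchcase(dst, r_dst)
                and fnmatchcase(service, r_service)):
            continue
        if action == "D":
            return "deny", rule
        if r_password is not None and password != r_password:
            return "deny", rule          # entry requires a route password
        if action == "S" and not sap_protocol:
            return "deny", rule          # S permits SAP protocols only
        return "permit", rule
    return "deny", None


if __name__ == "__main__":
    table = parse_saprouttab(SAMPLE_SAPROUTTAB)
    for request in [("203.0.113.9", "10.1.1.10", "3300"),
                    ("10.2.0.4", "10.1.1.10", "3200", "s3cret"),
                    ("10.2.0.4", "10.1.1.10", "3200", "wrong"),
                    ("10.2.1.8", "10.1.1.10", "3600")]:
        verdict, rule = evaluate(table, *request)
        print(request, "->", verdict, rule)
```

Because the first match decides, the order of the entries matters: the D entry for the gateway port is placed before the broad S entry so that the wildcard service cannot reopen it.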

Q: Which product is used as a "software Web switch" between the Internet and your SAP systems (several SAP Web AS) and can also be used as a URL filter?
A: The SAP Web Dispatcher.

Q: What is a DMZ?
A: DMZ stands for demilitarized zone. A DMZ is a network added between a protected network and an external network in order to provide an additional layer of security.

Q: Which kind of system can notify the administrator of attempts to attack the network or a system?
A: An IDS (Intrusion Detection System).

Q: What are the 2 types of IDS?
A:
• Network-based IDS
  - Misuse detection (known attack or virus signatures)
  - Anomaly detection
• Host-based IDS
  - Host sensor



Q: Which kind of server translates a logical name into a physical one, i.e. a domain name into an IP address?
A: DNS.

Q: What is the safeguard against eavesdropping?
A: Encryption.

Q: What are the 3 types of encryption?
A:
• Symmetric encryption (a single secret key)
• Asymmetric encryption (public key, private key)
• Combined symmetric and asymmetric encryption (hybrid: the public/private key pair protects the exchange of the secret key, which then encrypts the data)

Q: What are the 2 obstacles of symmetric encryption?
A:
• Transferring the secret key safely.
• Distributing the secret key to a large number of communication partners.

Q: What are the 2 disadvantages of public-key encryption?
A:
• It is slower than symmetric-key encryption.
• Encryption is only possible in one direction with a single key pair: Alice can encrypt a message to send to Bob (with Bob's public key), but not vice versa.



Q: What is the safeguard against masquerading?
A: Authentication (user ID/password or cryptography).

Q: What is used to authenticate individuals using cryptography?
A: The person receives a digital certificate. It can be compared to a passport in the "real world": a "digital identity card".

Q: What is the complete infrastructure that manages the issuing and verification of certificates called?
A: A Public-Key Infrastructure (PKI).

Q: What is the distinguished name used for?
A:
• It specifies the owner's identity.
• It is found in the owner's certificate as the subject.

Q: What are the different parts of a distinguished name?
A: CN=Common Name, OU=Organizational Unit, O=Organization, C=Country
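The following is an added example (not SAP's code and not from the original flashcards) that parses a distinguished name string of the form shown above into its attribute/value parts and compares two DNs by content, which is what matters when a certificate subject has to be matched against a stored mapping entry. The sample subject is constructed; backslash-escaped commas inside values are assumed, as in the usual string form of a DN.

```python
"""Parse an X.509 distinguished name string into its attribute/value parts.

Added example, not SAP's code. Handles 'CN=..., OU=..., O=..., C=...' plus
backslash-escaped commas in values.
"""


def parse_dn(dn):
    """Return the DN as an ordered list of (ATTRIBUTE, value) pairs."""
    pieces, buf, escaped = [], [], False
    for ch in dn:
        if escaped:                 # previous char was '\': take this one literally
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":             # an unescaped comma separates RDNs
            pieces.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    pieces.append("".join(buf))

    rdns = []
    for piece in pieces:
        piece = piece.strip()
        if not piece:
            continue
        if "=" not in piece:
            raise ValueError(f"malformed RDN: {piece!r}")
        attr, value = piece.split("=", 1)
        rdns.append((attr.strip().upper(), value.strip()))
    return rdns


def same_subject(dn_a, dn_b):
    """Compare two DNs by parsed content, so spacing and attribute case do not matter."""
    return parse_dn(dn_a) == parse_dn(dn_b)


if __name__ == "__main__":
    # Constructed sample subject, not taken from a real certificate.
    print(parse_dn("CN=Alice Example, OU=Basis, O=ACME, C=DE"))
```

Comparing parsed pairs rather than raw strings avoids false mismatches caused by whitespace or attribute-name case, while still treating the attribute values themselves as significant.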



Q: What are the 3 functions of the Certification Authority (CA)?
A:
• It issues the certificate.
• The issued certificate is digitally signed by the CA (the "official stamp").
• Its role is to ensure that the public key (which matches the private key) belongs to a specific person or server.

Q: How is the CA technically trusted?
A: The CA also possesses a digital certificate, called the CA root certificate. Alice needs the CA's root certificate to verify the digital signature on the Web server's certificate. The most common CA root certificates are preinstalled in the most widely used Web browsers.

Q: SAP also has a CA that issues digital certificates to customers. What is the digital certificate issued by the SAP Trust Center Services called?
A: The SAP Passport.

Q: Which safeguard answers the threat of tampering (denial, message alteration)?
A: The digital signature.

Q: Which 3 security goals does the digital signature answer?
A:
• Integrity: the document has not been modified.
• Authentication: Alice is who she claims to be.
• Non-repudiation: Alice cannot deny having signed the document.



Q: Which key is used to create the digital signature?
A: The private key of the user (the signature is verified with the matching public key).

Q: What are the 3 characteristics of hash algorithms?
A:
• They reduce a document of any size to a digest of fixed length (for example, 128 bits).
• They are one-way: you cannot determine the original document from the digest.
• They are practically unique: it is highly unlikely that a second input will produce the same hash.

Q: What does the Personal Security Environment (PSE) contain?
A: It is the storage location for the server's security information. It contains:
• the private key
• the server's public-key certificate
• the certificates of trusted CAs (certificate list)

Q: In which 4 cases does Secure Store and Forward (SSF) provide security for SAP data and documents?
A:
• Data leaves the SAP system
• Data is stored on insecure media
• Data is transmitted over insecure networks
• Data security is associated with persons and individuals

Q: Which 3 security goals does SSF answer?
A: Integrity, privacy (confidentiality), authentication.


Q: What is the SAP default library for SSF?
A: The SAP Security Library (SAPSECULIB), the default security library provided by SAP for SSF.

Q: What is the SAP default library for SNC and SSL?
A: The SAP Cryptographic Library (SAPCRYPTOLIB), the default security library provided by SAP for SNC and SSL.

Q: What are the 5 user master record types?
A:
• Dialog: individual, interactive logon (for example with the SAP GUI).
• System: used to run background jobs.
• Communication: used for dialog-free communication between systems (RFC/CPIC).
• Service: allows multiple logons; the password is not subject to the usual password checks (expiry, change rules).
• Reference: used only to assign additional authorizations to dialog users.

Q: Which 3 authorization objects are required to create and maintain user master records?
A:
• S_USER_GRP: user master maintenance, assign user groups
• S_USER_PRO: user master maintenance, assign authorization profiles
• S_USER_AUT: user master maintenance, create and maintain authorizations

Q: What is the profile of the special user EARLYWATCH?
A: S_TOOLS_EX_A


Q: Which user information system report monitors the passwords of all predefined users?
A: RSUSR003

Q: Which user group should be assigned to the users SAP*, DDIC and EARLYWATCH?
A: User group SUPER

Q: What are the 2 ways in which you can restrict the choice of user passwords?
A:
• The system profile parameters (login/*).
• Forbidden passwords can be entered in the table of reserved passwords, USR40, as patterns:
  - ? denotes a single character
  - * denotes any character string
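The following is an added example (not SAP's code and not from the original flashcards) that applies USR40-style patterns to password candidates, translating the two wildcards above into an anchored regular expression. The entries are a constructed sample. Assumptions: the comparison is case-insensitive, and the minimum length check stands in for the profile parameter login/min_password_lng; the other login/* parameters are not modelled.

```python
"""Check password candidates against USR40-style forbidden patterns.

Added example, not SAP's code. '?' matches exactly one character, '*' any
string. Assumed case-insensitive; login/min_password_lng modelled as a plain
minimum length.
"""
import re

# Constructed sample of USR40 entries (not from a real system).
SAMPLE_USR40 = ["PASS*", "?????", "*SAP*", "WELCOME??", "123456"]


def usr40_to_regex(pattern):
    """Translate a USR40 pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "?":
            parts.append(".")        # exactly one character
        elif ch == "*":
            parts.append(".*")       # any string, including the empty string
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$", re.IGNORECASE)


def forbidden_by(password, entries=SAMPLE_USR40):
    """Return the first USR40 entry that matches, or None if none does."""
    for entry in entries:
        if usr40_to_regex(entry).match(password):
            return entry
    return None


def is_allowed(password, entries=SAMPLE_USR40, min_password_lng=8):
    """Accept only passwords that meet the minimum length and hit no USR40 entry."""
    return len(password) >= min_password_lng and forbidden_by(password, entries) is None


if __name__ == "__main__":
    for candidate in ["password1", "Hello", "mySAPkey", "Tr0ub4dor&3"]:
        print(candidate, "->", forbidden_by(candidate) or "allowed by USR40",
              "| overall:", is_allowed(candidate))
```

Note that an entry such as "?????" forbids every five-character password, not the literal string, so review existing USR40 entries for unintended wildcard effects before adding new ones.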

Q: Which two profile parameters control the deactivation of password-based logon?
A: login/disable_password_logon and login/password_logon_usergroup (the user group that may still log on with a password)

Q: Which profile parameter refuses incoming connections of type CPIC (gateway)?
A: login/disable_cpic


Q: Which profile parameter sets the time for automatic SAP GUI logout?
A: rdisp/gui_auto_logout

Q: What are the 4 types of RFC connections?
A:
• Synchronous RFC (the client waits until the server has completed its processing); used between SAP systems and from the SAP Web AS
• Asynchronous RFC (parallel processing)
• Transactional RFC (reliable, once-only communication between systems)
• Queued RFC (defined processing sequences)

Q: Which transaction code allows you to monitor the SAP gateway?
A: Transaction SMGW (available from Release 3.0C)

Q: Where are RFC destinations for outgoing connections (side info) specified, and with which transaction are they maintained?
A: In table RFCDES, maintained with transaction SM59.

Q: What are the four advantages of a trusted relationship between SAP systems?
A:
• Single sign-on is possible beyond system boundaries
• No passwords are transmitted over the network
• A timeout mechanism protects against replay attacks
• User-specific logon data are checked in the trusting system


Q: The trust relationship is not mutual (true/false)?
A: True. The trust relationship applies in one direction only.

Q: Which file can be used to secure RFC connections?
A: The SAP gateway's secinfo file, which controls the start-up and registration of external RFC and CPI-C programs.

Q: Which profile parameter defines the location of the secinfo file?
A: gw/sec_info

Q: Which program starts an external command after it has passed the gateway?
A: sapxpg

Q: Which authorization object is needed to maintain external commands?
A: S_RZL_ADM with activity 01 (create) and 03 (display).


Q: Which authorization object is needed to execute external commands?
A: S_LOG_COM

Q: What must you specify to allow the execution of an external command?
A: An entry for the program sapxpg in the file secinfo.

Q: What are the 7 measures to protect an RFC connection?
A:
• Connect only systems with the same security level
• Restrict which function modules may be called via RFC
• Use authorization object S_RFC
• Use users of type Communication for RFC destinations
• Specify full logon data (user and password) for connections to other SAP systems only if necessary
• Maintain the secinfo file appropriately
• Protect the files and tables containing side info (RFCDES)

Q: What are the 3 standard clients contained in a DEV system?
A:
• Development and customizing client (CUST)
• Sandbox client (SAND)
• Test client (TEST)

Q: What is the default change option of the 2 standard QA clients (test and training)?
A: Not modifiable.


Q: What are the two levels of SAP change options that define whether customizing and development are available?
A:
• The system change option
• The client change option

Q: Which transaction displays the history of the system change option?
A: SE03

Q: The client change option does not override the system change option (true/false)?
A: True. The client change option is used to fine-tune each client's role within the SAP environment, within what the system change option permits.

Q: How do you set the client change option?
A: With transaction SCC4, which maintains table T000.

Q: How do you protect your production client against being overwritten by a client copy?
A: Set the protection level in transaction SCC4 to at least level 1 (no overwriting).


Q: How do you protect your production client against a cross-client comparison?
A: Choose protection level 2 (no overwriting, no external availability). The client is then not available in the customizing cross-system viewer of another system.

Q: What are the 2 fields of the authorization object S_TABU_DIS?
A: DICBERCLS (table authorization group) and ACTVT (activity).

Q: What is the field of the authorization object S_TABU_CLI?
A: CLIIDMAINT

Q: What are the 5 fields of the authorization object S_DEVELOP?
A: DEVCLASS, OBJTYPE (for example PROG), OBJNAME, P_GROUP, ACTVT

Q: What are the 2 steps needed to configure the QA approval procedure?
A:
1. Define the QA system (prerequisite: a transport landscape with at least 2 systems)
2. Define the QA procedure (QA worklist)


Q: Which transaction displays an overview of the modifications and enhancements found in the system, searchable by last transport request or by request/task?
A: SE95 (Modification Browser)

Q: Which transaction maintains and activates the security audit log?
A: SM19

Q: What happens to the profile parameter rsau/local/file if the profile parameter rsau/max_diskspace/per_file is used?
A: If rsau/max_diskspace/per_file is used, rsau/local/file is no longer valid and is no longer evaluated. The parameters DIR_AUDIT and FN_AUDIT are used instead.

Q: Which profile parameter defines the maximum number of filters that can be used?
A: rsau/selection_slots

Q: What are the 6 types of information that can be recorded with the security audit log?
A:
• Dialog logon attempts
• RFC logon attempts
• Transaction starts
• RFC calls to function modules
• Changes to user master records
• Changes to the audit configuration


Q: What are the 4 selection criteria of a security audit log filter?
A:
• User
• Audit classes
• Client
• Security level (only critical; severe and critical; all)

Q: Which transaction allows you to view the assignment of events to audit classes and security levels (system log message maintenance)?
A: SE92 (display system log messages)

Q: Which transaction displays the results of the security audit log?
A: SM20

Q: The reports of the user information system start with?
A: RSUSR followed by a number (for example RSUSR003).

Q: ITS: what are the 4 main functions of the AGate?
A:
• Communication to and from the SAP system
• Communicates using the SAP protocols RFC and DIAG
• Generates the HTML pages from SAP screens
• Manages user logon data and session information


Q: ITS: what are the 2 main functions of the WGate (Web server side)?
A:
• Connects the ITS to the Web server
• Uses the HTTP protocol

Q: What is an ITS service?
A: An ITS service is the set of components needed to call an SAP transaction via the ITS.

Q: How do you protect access to the ITS service and template files?
A: Using groups (file permissions) at the operating-system level.

Q: ITS scalability and load balancing: what are the 6 possible landscapes?
A:
• A single WGate connects to multiple AGates
• Separate WGates connect to a single AGate
• Multiple WGates connect to multiple AGates
• The ITS connects to a single application server
• Multiple ITS instances connect to a single system
• The ITS connects to the message server (load balancing)

Q: In a dual-host installation, where do you use firewalls?
A:
• A firewall in front of the Web server, to deny access using undesired protocols
• A firewall between the Web server (WGate) and the AGate, to restrict access even more


Q: What is the goal of SNC in an ITS environment?
A:
• Authentication between the components
• Integrity protection
• Privacy protection

Q: What is the SNC default security product?
A: SAP Cryptographic Library (SAPCRYPTOLIB)

Q: SNC: where are the private keys stored?
A: In the SNC PSE.

Q: What are the 2 possibilities to establish trust when using SAPCRYPTOLIB?
A:
• Either use a single PSE for all communication partners
• Or exchange public-key certificates between the partners

Q: Which transaction maintains the SNC PSE?
A: The trust manager, transaction STRUST.


Q: What are the 3 trust manager profile parameters?
A:
1. sec/libsapsecu: specifies the location of SAPCRYPTOLIB
2. ssf/ssfapi_lib: specifies the location of SAPCRYPTOLIB
3. ssf/name: must be set to SAPSECULIB

Q: What are the 7 steps to enable SNC on the ITS?
A:
1. Install SAPCRYPTOLIB and the license ticket (in SECUDIR)
2. Set the trust manager profile parameters
3. Create (or import) the SNC PSE
4. Create credentials
5. Establish the trust relationship
6. Set the SNC profile parameters
7. Make the access control list entries

Q: What is the table for the SNC system access control list?
A: SNCSYSACL

Q: What is the table for the extended user access control list?
A: USRACLEXT

Q: Testing and analyzing: SNC information is provided in trace files. What are the 3 most common errors?
A:
• The library could not be loaded
• No credentials
• No entry in the ACL


Q: What are the 3 user authentication mechanisms?
A:
• User ID and password
• X.509 client certificates
• Pluggable Authentication Services (PAS), i.e. external mechanisms

Q: X.509 client certificates: which table holds the user mapping?
A: USREXTID

Q: What are the 2 different worlds for SSO?
A:
• SAP GUI for Windows: SNC
• Web: SSL

Q: SSO, Web: how is the SAP logon ticket stored in the Web browser?
A: As a non-persistent session cookie named MYSAPSSO2.

Q: Which 4 pieces of information does the SAP logon ticket contain?
A: User ID, validity period, issuing system ID, and the issuing system's digital signature.


Q: What are the 3 constraints of the logon ticket?
A:
• All systems must be in the same DNS domain (so that the browser sends the cookie to each of them)
• The user ID must be identical in all systems
• The user must accept session cookies

Q: How are the integrity and authenticity of the logon ticket protected?
A: It is digitally signed by the ticket-issuing server, which provides integrity and authenticity protection.

Q: How do you maintain the configuration of logon tickets?
A: With transactions SSO2 and STRUSTSSO2.

Q: Is SSO to non-SAP components possible with SAP logon tickets?
A: Yes. There are 2 options:
• API interface
• Web server filter (HTTP header field)

Q: Which 2 profile parameters configure SSO with SAP logon tickets?
A:
• login/create_sso2_ticket
• login/accept_sso2_ticket


Q: What are the 6 steps of the PAS authentication process?
A:
1. The user enters the URL of the PAS service
2. The user provides the authentication information
3. The external authentication mechanism verifies the user's information
4. The ticket-issuing system maps the external user ID to the SAP user ID
5. The user is issued a logon ticket
6. The AGate redirects the user to the service

Q: What are the 3 steps to install PAS?
A:
• Install the SAP package ntauth.sar
• Set the service file parameters
• Maintain the user mapping in table USREXTID (report RSUSREXTID)

Q: How do you combine the 2 worlds (SAP GUI and Web)?
A:
• Using logon tickets, the ITS and SAP shortcuts
• The logon ticket is passed to the SAP shortcut by the ITS service wngui
• Only from Web to traditional SAP GUI (traditional to Web is not supported)

Q: Which 2 roles can the Web Application Server (Web AS) play?
A:
• SAP Web AS as client component
• SAP Web AS as server component

Q: What are the 2 main components of the Web Application Server (Web AS)?
A:
• The Internet Communication Manager (ICM): ensures communication between the SAP system (SAP Web AS) and the outside world using the HTTP, HTTPS and SMTP protocols.
• The Internet Communication Framework (ICF): provides the framework for implementing SAP Web AS applications.


Q: What is the transaction of the ICM monitor?
A: SMICM

Q: What are the 7 activities of the ICM monitor?
A:
• Start and stop the ICM
• Set the trace level, view logs
• View the profile parameter settings (parameters starting with icm/)
• View statistics
• View memory pipe information
• View active services
• Monitor the service cache

Q: What is the transaction of the Internet Communication Framework (ICF)?
A: SICF

Q: What are the 4 activities of the ICF in transaction SICF (maintain services)?
A:
• Display the hierarchical HTTP service tree
• Create and maintain BSPs (SE80 to view and test a BSP)
• Create virtual hosts
• Activate/deactivate services (activate only the necessary services)

Q: Load balancing: what are the 3 different mechanisms?
A:
• Redirection: the user is redirected to a server in the back end (simple, but not user friendly, since the URL changes)
• DNS-based method: the name lookup distributes clients to servers based on the IP address returned
• Load-balancing device: receives the requests and directs them to a server in the back end; transparent for the client (same URL and IP)


Q: What is a stateful user session vs. a stateless one?
A: In a stateful session the network connection lasts for the duration of the user session. HTTP is a stateless protocol: successive requests may each open a new network connection, so the server has to recognise the user from one request to the next.

Q: What are the 2 options for keeping a stateful user session across requests, and their properties?
A:
• Session ID (in a Web browser cookie or in the user's URL): the load balancer cannot read it when SSL is end-to-end, so it does not work with SSL
• IP address of the client: works with SSL, but is an issue with proxies (many clients share one address)

Q: What are the 2 types of load balancing with SSL and their properties?
A:
• End-to-end SSL: the server supports both privacy protection using encryption and user authentication using client certificates; the client IP address must be used for session persistence
• Terminating SSL: the SSL connection is terminated at the load balancer

Q: What are the pros and cons of terminating SSL at the load balancer?
A:
+ Better performance
+ The session cookie can be used for persistence
- Less security (the connection between the load balancer and the server is no longer SSL-protected)

Q: What are the 5 scenarios of load balancing with the Web AS?
A:
• Message server-based redirection
• Dispatcher or load balancer
• SAP Web Dispatcher
• Alternative technologies
• Combining technologies (Web switch and Web Dispatcher)


Q: What is the problem with a stateful connection under load balancing?
A: If the load balancer directs the user to a different server for subsequent requests, the second server does not know what has already occurred on the first server. The session context information is lost and the application breaks.

Q: What are the 3 kinds of alternative technologies for load balancing?
A:
• Hardware load balancer
• Web switch
• Reverse proxy: you can route incoming requests to different servers based on the URL path

Q: SSL encryption with the Web AS: which 4 pieces of information are specified with profile parameters?
A:
• The plug-in (protocol) to use
• The server port
• Whether to use client certificates
• The location of SAPCRYPTOLIB

Q: What are the 3 types of SSL server PSE?
A:
• Standard SSL server PSE (basis for creating the individual SSL server PSEs that each host uses)
• Individual SSL server PSE
• Shared SSL server PSE

Q: What are the 4 steps to enable SSL on the SAP Web AS (client or server)?
A:
1. Create the SSL server PSE (STRUST)
2. Specify the PSE for each application server
3. For each unique PSE:
   a. generate a certificate request
   b. send the request to a CA
   c. import the certificate request response
4. Establish the necessary trust relationships with CA certificates


Q: What are the 3 kinds of SSL client PSE?
A:
• Standard SSL client PSE (must exist for SSL to work)
• Anonymous SSL client PSE (CN=anonymous)
• Individual SSL client PSE

Q: What are the 3 configuration steps to specify that a connection uses SSL?
A:
• SM59: maintain the HTTP destination (type G: to a different Web server; type H: to another SAP Web AS)
• Activate SSL and specify which SSL client PSE to use
• Choose the authentication method: SSL client certificate if the destination is to be authenticated with the SSL client PSE's certificate, otherwise Basic Authentication (user and password)

Q: What are the 4 steps to enable SNC on the SAP Web AS?
A:
1. Install the SAP Cryptographic Library
2. Create the SNC PSE
3. Specify the access control list (ACL) entries
4. Set the profile parameters

Q: Which table specifies which systems are allowed to connect to the SAP system using SNC?
A: SNCSYSACL

Q: Which table specifies the users that can log on to the system using SNC?
A: USRACL


Q: Which table specifies that WebRFC users can log on using the AGate's SNC-protected connection?
A: USRACLEXT

Q: What are the 4 SNC profile parameters?
A:
• Activate SNC: snc/enable
• Set the level of protection: snc/data_protection/max
• Accept DIAG (and RFC) connections that are not protected with SNC: snc/accept_insecure_gui (and snc/accept_insecure_rfc)
• Use external authentication: snc/extid_login_diag

Q: What are the 3 components of the portal user and role management?
A:
• Corporate directory server (for authentication)
• Portal directory server (portal-related user and group properties)
• Portal Content Directory (content-to-role assignment)

Q: What are the 3 Enterprise Portal authentication mechanisms?
A:
• User ID/password (form-based iView)
• X.509 digital certificate
• Third-party authentication (for example Windows)
